Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header
Blaine Cook <romeda@gmail.com> Thu, 15 July 2010 15:13 UTC
On 15 July 2010 15:59, Justin Richer <jricher@mitre.org> wrote:
> +1 on OAuth2 header, and I also want to see oauth2_token in URI and form
> parameter methods.
>
> 1.0 clients will talk to systems that support both oauth2 and oauth1
> simultaneously. Most likely on the same PR endpoints as well. Since the
> protocols are not backwards compatible, they should be able to coexist.

I tend to agree with Eran here – 1.0 clients talking to systems that support both OAuth 2 and OAuth 1 will notice no difference. The server will have to switch protocol handling, but can do so on the presence of OAuth 1 or OAuth 2-specific parameters. Clients using OAuth 1.0 shouldn't have to do anything, and shouldn't notice any change.

This absolutely makes things a tiny bit more complicated for service providers that have already deployed OAuth 1 services and wish to move to OAuth 2, but frankly if the provider can't figure it out, they have larger problems (unless someone can provide a really compelling reason why switching in this way is actually really hard, I just can't buy it).

OAuth is dead, long live OAuth. Right? I mean, you don't move the White House to another address every time you get a new president...

b.
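The server-side switch on protocol-specific parameters discussed in this message, as an added example that is not part of the original message or of any OAuth draft. It assumes OAuth 1.0 requests carry the RFC 5849 signing parameters and that the OAuth 2 draft form is a bare token after the `OAuth` scheme; `classify` is a hypothetical name, and a header that fits neither protocol cleanly is rejected rather than guessed at.

```python
import re

# OAuth 1.0 signing parameters (RFC 5849); any of them marks a 1.0 request.
OAUTH1_ONLY = {"oauth_consumer_key", "oauth_signature_method",
               "oauth_signature", "oauth_timestamp", "oauth_nonce"}
# Always required by RFC 5849 (timestamp and nonce may be omitted for PLAINTEXT).
OAUTH1_REQUIRED = {"oauth_consumer_key", "oauth_signature_method",
                   "oauth_signature"}

_PARAM = re.compile(r'\s*([A-Za-z0-9_]+)="([^"]*)"\s*')
# Assumption: an OAuth 2 credential is one unquoted token with optional '=' padding.
_BARE_TOKEN = re.compile(r'[A-Za-z0-9\-._~+/]+=*')


def classify(authorization):
    """Return ("oauth1", params), ("oauth2", token) or ("reject", reason)."""
    scheme, _, rest = authorization.strip().partition(" ")
    rest = rest.strip()
    if scheme.lower() != "oauth" or not rest:
        return ("reject", "not an OAuth credential")
    if _BARE_TOKEN.fullmatch(rest):
        return ("oauth2", rest)
    params = {}
    for part in rest.split(","):
        m = _PARAM.fullmatch(part)
        if not m:
            return ("reject", "malformed parameter list")
        if m.group(1) in params:
            # Duplicates let two parsers disagree about which value counts.
            return ("reject", "duplicate parameter " + m.group(1))
        params[m.group(1)] = m.group(2)
    if OAUTH1_ONLY.isdisjoint(params):
        # key="value" syntax without any signing parameter: do not guess.
        return ("reject", "no protocol-specific parameter")
    missing = OAUTH1_REQUIRED - set(params)
    if missing:
        # Never fall back to bearer handling when a signature is incomplete.
        return ("reject", "incomplete OAuth 1.0 request: "
                + ", ".join(sorted(missing)))
    return ("oauth1", params)


# Constructed sample headers, not taken from the thread.
SAMPLE_OAUTH2 = "OAuth vF9dft4qmT"
SAMPLE_OAUTH1 = ('OAuth realm="Example", oauth_consumer_key="ck", '
                 'oauth_token="tk", oauth_signature_method="HMAC-SHA1", '
                 'oauth_signature="sig%3D", oauth_timestamp="1279206820", '
                 'oauth_nonce="n1"')
SAMPLE_AMBIGUOUS = 'OAuth oauth_token="tk"'
```

The result only selects a handler: an `oauth1` result still needs its signature, nonce and timestamp verified, and an `oauth2` result still needs the token looked up.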